Design Policy generation: Good policy is one that allows only the actions necessary for the intended functionality of the application but denies everything else. Complexity of policy language increases difficulty of creating good policies. Automatic policy generation: Policy statements are independent. Policy can be extended by appending new policy statements. Run application and record system calls. Every system call not covered by current policy generates a new statement. Need to assume non-malicious application and input data.